ares_create_query single byte out of buffer write

VULNERABILITY

When a string is passed in to ares_create_query or ares_mkquery and uses
an escaped trailing dot, like "hello\.", c-ares calculates the string length
wrong and subsequently writes outside of the allocated buffer with one byte.
The wrongly written byte is the least significant byte of the 'dnsclass'
argument; most commonly 1.

Proof of concept code have showed how this can be exploited in a real-world
system, but we are not aware of any exploits having actually happened in the
wild.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2016-5180 to this issue.

AFFECTED VERSIONS

This flaw exists in the following c-ares versions.

Affected versions: c-ares 1.0.0 to and including 1.11.0

Not affected versions: c-ares >= 1.12.0

THE SOLUTION

In version 1.12.0, the function has been corrected and a test case have been
added to verify.